Released 1.36.33 The Memory Remains
Posted: Fri Feb 24, 2023 6:09 pm
# Changes since 1.36.32
- Sanitise attr input in FilterTerm to prevent SQL Injection. Fixes GHSA-222j-wh8m-xjrx
- Add object-src CSP directive to help prevent XSS
- db: Add helper for escaping strings and use it on username retrieved from jwt to prevent SQL injection
- use detaintPath on modal to prevent including other files instead of real modals
- Check for valid date in minTime and maxTime to prevent SQL attack
- Introduce check_datetime function to validate dates
- Attempt to sanitize daemon and arguments before executing commands to prevent executing other programs.
- Use validCardinal on MonitorId when creating snapshots to prevent executing other commands
- Adjust size of text inputs MonitorName and Source Path Filters to match chosen inputs
- test for existence of username in session to prevent error outputs when using AUTH_RELAY=plain
- Move actions process to after the unauth check to prevent actions happening when unauthenticated
- Fix detaintPath not stripping sequences like ..././
- Escape <> in log messages to prevent html shenanigans. Fixes #3596
- Don't start the statusCmdQuery on streaming start, because it is used when doing still updates. If we start it too fast, zms may not have started yet, causing errors in logs about zms
- Set a short expiry 1min and set the cookie name to include the filter so that each and every filter gets its own pagination saved. Fixes 3510
- Use reload instead of restart on zone save
- Add reload to monitor zmcControl
- Stop streams when clicking cancel/Save so that we don't log errors trying to access a dead zms. Fixes 3643
- Adding :80 to address is not worthy of an Error log, fixes warnings in logs from various PTZ scripts
- Add a sleeping flag so that when we get sigterm, we can just exit instead of returning to the sleep. Speeds up zoneminder shutdown
- fix format endtime on events list on watch view
- Include command line in debug output when generating images
- Fix missing/corrupted pre-alarm frames in recording. Fixes 3656
- Remove test for Enabled on monitor. Motion detection being disabled has nothing to do with manual triggering. Fixes 3657
- Allow viewing of events whose Monitor[Function]=None
- Remove stripslashes when saving config values. The values in REQUEST have not been escaped, so strip slashes is not appropriate. Fixes 3655
- Apply chosen styles to dropdowns in Options, allowing text search
- Queue packets instead of packet locks in event thread. Since we are using std::shared_ptr and not modifying the packet, should not need locking. Also, locking in one thread and unlocking in another is apparently undefined behaviour and doesn't work in freebsd.
- fixes for freebsd
- Don't wait for decode in Analyze, fixes some hangups on logrotate/shutdown
- Hide timestamp caption from bottom of video.js event view. It serves no purpose. Fixes 3488
- Add 2>&1 to command to delete event dir so that we get error messages logged.
- Move code from Event to Storage to implement delete_path()
- Use ajax() instead of getJSON with no timeout when deleting events.
- Update monitor preset view: Use a submit button instead of input with javascript. Remove no longer needed js code. Sort presets by Name.
- Fix saving Server modal. Form was incomplete, action and view were duplicated. Don't need javascript just use the submit button Save.
- Improve info when moving event to show source and Dest paths
- Remove dead code from report_event_audit.js
- Use Y-m-d H:i:s instead of c for date formatting to match what datetimepicker expects. remove unused action input and put view in the get part of form action
- Add styles to table headers to left align them to match the body
# Vulnerabilities addressed by this release
https://github.com/ZoneMinder/zoneminde ... -6jjc-cgmw CVE-2023-26036
https://github.com/ZoneMinder/zoneminde ... -q9mw-mwx9 CVE-2023-26032
https://github.com/ZoneMinder/zoneminde ... -2hj3-3733 CVE-2023-26037
https://github.com/ZoneMinder/zoneminde ... -h2pw-cc9g CVE-2023-26039
https://github.com/ZoneMinder/zoneminde ... -r8c4-r24w CVE-2023-2603
https://github.com/ZoneMinder/zoneminde ... -h4vf-29gr CVE-2023-26035
https://github.com/ZoneMinder/zoneminde ... -wh8m-xjrx CVE-2023-26034
https://github.com/ZoneMinder/zoneminde ... -g4qm-jr6v CVE-2023-25825
The bulk of these issues were found during Perfect Blue's 2023 CTF event. https://ctf.perfect.blue/
Thank you to the participants and thanks for the responsible disclosures. We are stronger for it.
All users of ZoneMinder < 1.36.33 are hereby EXTREMELY STRONGLY recommended to update.
https://github.com/ZoneMinder/zoneminde ... es/1.36.33
**Full Changelog**: https://github.com/ZoneMinder/zoneminde ... ...1.36.33
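
The `..././` entry in the changelog above is the single-pass stripping failure: deleting `../` once splices the characters around it back into `../`. The following is an added PHP example, not ZoneMinder's own code; the function names and the sample input are constructed for illustration. It contrasts one pass with stripping to a fixpoint and with a resolve-and-contain check.

```php
<?php
// Added illustration; names and input are constructed, not taken from ZoneMinder.

// Single pass: str_replace() does not rescan its own output, so the
// characters left behind can join up into a fresh "../".
function strip_once(string $path): string {
    return str_replace('../', '', $path);
}

// Repeat until a pass removes nothing, then drop any leading slash.
function strip_fixpoint(string $path): string {
    do {
        $path = str_replace('../', '', $path, $count);
    } while ($count > 0);
    return ltrim($path, '/');
}

// Stronger check: resolve the candidate on disk and require the result
// to stay inside $base. Returns the resolved path, or null if rejected.
function resolve_under(string $base, string $name): ?string {
    $base = realpath($base);
    if ($base === false) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($full === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($full, $prefix, strlen($prefix)) === 0 ? $full : null;
}

$input = '..././..././secret.php';      // constructed input
var_dump(strip_once($input));           // still contains "../" sequences
var_dump(strip_fixpoint($input));       // no "../" left

// Constructed scratch directory standing in for a directory of includable files.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'modals_' . getmypid();
@mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'server.php', '');
var_dump(resolve_under($base, 'server.php'));  // resolved path inside $base
var_dump(resolve_under($base, '../'));         // null: resolves outside $base
```

Where the set of includable names is fixed, matching the request value against an explicit allowlist avoids path handling altogether.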